New “DoubleClickjacking” attack hijacks accounts via deceptive double-clicks, bypassing traditional defenses. Attackers create a mask that tricks users into clicking hidden buttons on legitimate sites. This can authorize harmful actions without iframe use. Vulnerable sites include major platforms like Shopify and Slack. Protection suggestions include JavaScript to disable sensitive buttons and HTTP headers to limit quick window switching.
New DoubleClickjacking attack exploits double-clicks to hijack accounts